<html>
<head><meta charset="utf-8"><title>security badges · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html">security badges</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="136116112"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136116112" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136116112">(Oct 19 2018 at 14:49)</a>:</h4>
<p>any thoughts on a README badge like this?</p>



<a name="136116129"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136116129" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136116129">(Oct 19 2018 at 14:50)</a>:</h4>
<p><a href="/user_uploads/4715/jU0yQMzoXpRUdQcv0kY73mpE/Screen-Shot-2018-10-19-at-7.49.16-AM.png" target="_blank" title="Screen-Shot-2018-10-19-at-7.49.16-AM.png">Screen-Shot-2018-10-19-at-7.49.16-AM.png</a></p>
<div class="message_inline_image"><a href="/user_uploads/4715/jU0yQMzoXpRUdQcv0kY73mpE/Screen-Shot-2018-10-19-at-7.49.16-AM.png" target="_blank" title="Screen-Shot-2018-10-19-at-7.49.16-AM.png"><img src="/user_uploads/4715/jU0yQMzoXpRUdQcv0kY73mpE/Screen-Shot-2018-10-19-at-7.49.16-AM.png"></a></div>



<a name="136116187"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136116187" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136116187">(Oct 19 2018 at 14:50)</a>:</h4>
<p>I started using them on a few of my projects</p>



<a name="136116298"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136116298" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136116298">(Oct 19 2018 at 14:52)</a>:</h4>
<p>Here's a copy-paste of the notes on this topic from the first meeting:</p>
<p>ET: Do we also want to name and shame projects that are using unsafe in a bad way? Or assuming that they need the performance, do it w/o unsafe.<br>
BS: Instead of naming and shaming, show how things can be done better. Always propose an alternative, maybe even submit a patch.<br>
SS: Could generate badges showing percent of unsafe code in a project in order to incentivize less unsafe.<br>
TA: forbid(unsafe) could be an interesting metric. So the badge could be that you have no uses of unsafe at all.<br>
BS: We should decide what the goals are. Be careful not to make core crates which enable safe functionality look bad.<br>
GK: Make sure not to make it sound like “unsafe is only for experts.”<br>
SS: I think the point of unsafe is to be a higher bar and to raise suspicion.<br>
GK: I don’t want to make it seem like the next important unsafe-using crate should only be written by experts.<br>
BS: There are other security considerations beyond unsafe (e.g., for crypto). Also not convinced that the crate is the right granularity for this. E.g.: What about unsafe hidden behind a safe API?<br>
ET: An old idea was to add an audit annotation to unsafe code to declare that it’d been reviewed/checked. Might even go as far as a digital signature. Could add an audit flag/attribute, and have a badge for that.<br>
BS: Use of dangerous constructs can be a metric of this group’s success.</p>



<a name="136116353"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136116353" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136116353">(Oct 19 2018 at 14:53)</a>:</h4>
<p>I like the idea of having a badge for "all my <code>unsafe</code>s are audited", which would be a superset of "I don't use <code>unsafe</code>".</p>



<a name="136116360"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136116360" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136116360">(Oct 19 2018 at 14:53)</a>:</h4>
<p>So all crates w/o <code>unsafe</code> would get that badge automatically.</p>



<a name="136116422"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136116422" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136116422">(Oct 19 2018 at 14:54)</a>:</h4>
<p><span class="user-mention" data-user-id="119194">@Erick Tryzelaar</span> might have thoughts on how to do the review annotations.</p>



<a name="136121940"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136121940" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136121940">(Oct 19 2018 at 16:20)</a>:</h4>
<p>Isn't this an example of "Goodhart's law"?</p>



<a name="136121974"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136121974" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136121974">(Oct 19 2018 at 16:20)</a>:</h4>
<p>If we measure how much unsafe is in a project, the unsafe will get moved to a place less visible.</p>



<a name="136121991"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136121991" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136121991">(Oct 19 2018 at 16:20)</a>:</h4>
<p>that's why I'm a fan of <code>forbid</code> <span class="emoji emoji-1f609" title="wink">:wink:</span></p>



<a name="136122295"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136122295" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136122295">(Oct 19 2018 at 16:25)</a>:</h4>
<p>Does forbid mean that there is no unsafe code in any module in the dependency chain?</p>



<a name="136122956"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136122956" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136122956">(Oct 19 2018 at 16:36)</a>:</h4>
<p>unfortunately not <span class="emoji emoji-1f622" title="cry">:cry:</span></p>



<a name="136122960"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136122960" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136122960">(Oct 19 2018 at 16:36)</a>:</h4>
<p>a transitive forbid would be fantastic</p>



<a name="136123860"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136123860" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136123860">(Oct 19 2018 at 16:49)</a>:</h4>
<p>I fear some crates will split into cool-crate-totally-safe which will depend on cool-crate-but-with-the-unsafe-parts.</p>



<a name="136123956"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136123956" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136123956">(Oct 19 2018 at 16:50)</a>:</h4>
<p>Additionally, some crates will unwittingly depend on potentially exploitable unsafe code, but still proudly put on the "unsafe forbidden" badge, which I feel is sending the wrong message to clients of that crate.</p>



<a name="136124726"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136124726" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136124726">(Oct 19 2018 at 17:02)</a>:</h4>
<p>yeah, a README badge can always be a bit deceiving</p>



<a name="136124780"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136124780" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136124780">(Oct 19 2018 at 17:03)</a>:</h4>
<p>Good point.</p>



<a name="136124792"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136124792" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136124792">(Oct 19 2018 at 17:03)</a>:</h4>
<p>Maybe if a client clicks the badge, it links to a full audit chain of that package that will show the unsafe dependencies.</p>



<a name="136124867"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136124867" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136124867">(Oct 19 2018 at 17:04)</a>:</h4>
<p>I appreciate that the goal is to nudge devs away from using unsafe where possible, and the badge would be a net good in that effort even if it can be abused sometimes.</p>



<a name="136124946"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136124946" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136124946">(Oct 19 2018 at 17:05)</a>:</h4>
<p>I just don't feel "some humans I've never heard of looked at it and said it's okay" is a security guarantee worth pursuing. If anything, I'd rather have correctness proofs with tools such as SMACK, which are an actual assurance (under certain assumptions).</p>



<a name="136125043"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136125043" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136125043">(Oct 19 2018 at 17:06)</a>:</h4>
<p>Shnatsel, is that with respect to the badging or to adding audit annotations?</p>



<a name="136125051"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136125051" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136125051">(Oct 19 2018 at 17:06)</a>:</h4>
<p>Am I correct in assuming those are orthogonal efforts?</p>



<a name="136125054"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136125054" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136125054">(Oct 19 2018 at 17:06)</a>:</h4>
<p>Adding audit annotations</p>



<a name="136125099"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136125099" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136125099">(Oct 19 2018 at 17:07)</a>:</h4>
<p>While the tooling for automated verification has just been ported and so has some rough edges, it doesn't seem to be terribly hard to use. See <a href="http://soarlab.org/publications/atva2018-bhr.pdf" target="_blank" title="http://soarlab.org/publications/atva2018-bhr.pdf">http://soarlab.org/publications/atva2018-bhr.pdf</a> for the porting story and some examples.</p>



<a name="136125171"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136125171" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136125171">(Oct 19 2018 at 17:08)</a>:</h4>
<p>(Moved to correctness proofs stream)</p>



<a name="136129095"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136129095" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136129095">(Oct 19 2018 at 18:10)</a>:</h4>
<p>I disagree that an annotation about human checking isn't good enough. I agree that proofs are cool and desirable, but the reality is that most people aren't going to write proofs, and if my only options are to choose between un-annotated <code>unsafe</code> and <code>unsafe</code> which a human has at least thought about pretty hard and written down their thoughts, I prefer the latter. I also think that we'll get a lot more mileage out of encouraging that approach than encouraging verified proofs.</p>



<a name="136130064"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136130064" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136130064">(Oct 19 2018 at 18:26)</a>:</h4>
<p>I was under the impression that tools such as SMACK provide not quite as in-depth assurances as manual proofs with interactive proof assistants do, but are in the same ballpark in terms of usage difficulty as fuzzers, and provide greater assurance. If that is not the case I'd tend to agree, but I'm not yet convinced that is not the case <span class="emoji emoji-1f61c" title="stuck out tongue wink">:stuck_out_tongue_wink:</span></p>



<a name="136191921"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136191921" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136191921">(Oct 21 2018 at 01:02)</a>:</h4>
<p>haha, <code>lazy_static</code> breaks <code>#[forbid(unsafe_code)]</code></p>



<a name="136191932"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136191932" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136191932">(Oct 21 2018 at 01:03)</a>:</h4>
<p>That's unfortunate. I have no proposal for how you could fix that, but this feels like it ought to be a bug somewhere.</p>



<a name="136192400"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136192400" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jake Goulding <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136192400">(Oct 21 2018 at 01:20)</a>:</h4>
<p>That should have been covered by <a href="https://github.com/rust-lang/rust/issues/48855" target="_blank" title="https://github.com/rust-lang/rust/issues/48855">https://github.com/rust-lang/rust/issues/48855</a></p>



<a name="136192408"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136192408" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jake Goulding <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136192408">(Oct 21 2018 at 01:20)</a>:</h4>
<p>well, it was for <code>deny</code> — <a href="https://github.com/rust-lang/rust/issues/48385#issuecomment-367142273" target="_blank" title="https://github.com/rust-lang/rust/issues/48385#issuecomment-367142273">https://github.com/rust-lang/rust/issues/48385#issuecomment-367142273</a></p>



<a name="136200452"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136200452" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136200452">(Oct 21 2018 at 05:43)</a>:</h4>
<p>I personally think we should drop the security badge idea, deeming it out of scope. In particular, I think the design of <code>unsafe</code> as it exists now in Rust is highly questionable and I don't think I'm the only one. If the design of <code>unsafe</code> itself is unquestionable then IMO it's premature to gamify its use/non-use even if such gamification were otherwise a good idea. See <a href="https://play.rust-lang.org/?version=stable&amp;mode=debug&amp;edition=2015&amp;gist=f2e8f93ce0ae2823b6de0e3f29b01b21" target="_blank" title="https://play.rust-lang.org/?version=stable&amp;mode=debug&amp;edition=2015&amp;gist=f2e8f93ce0ae2823b6de0e3f29b01b21">https://play.rust-lang.org/?version=stable&amp;mode=debug&amp;edition=2015&amp;gist=f2e8f93ce0ae2823b6de0e3f29b01b21</a> and <a href="https://play.rust-lang.org/?version=stable&amp;mode=debug&amp;edition=2015&amp;gist=8ecb524f00ba696379853be7f0d2e479" target="_blank" title="https://play.rust-lang.org/?version=stable&amp;mode=debug&amp;edition=2015&amp;gist=8ecb524f00ba696379853be7f0d2e479">https://play.rust-lang.org/?version=stable&amp;mode=debug&amp;edition=2015&amp;gist=8ecb524f00ba696379853be7f0d2e479</a> for some examples of why I'm skeptical of the current design of <code>unsafe</code> as it stands today.</p>



<a name="136270708"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136270708" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136270708">(Oct 22 2018 at 14:24)</a>:</h4>
<p>haha, some stronger reactions than I was expecting. what I was getting at with these sorts of badges was all other things being equal, given a choice between a crate which uses unsafe and one that does not, I would prefer people pick the safe crate. the <code>base64</code> crate is a relevant example</p>



<a name="136270724"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136270724" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136270724">(Oct 22 2018 at 14:24)</a>:</h4>
<p>and more generally, discourage the use of <code>unsafe</code> when it isn't necessary</p>



<a name="136277900"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136277900" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136277900">(Oct 22 2018 at 16:23)</a>:</h4>
<p>on a separate but somewhat related note, I have ideas for unsafe improvements, but that could probably use its own topic</p>



<a name="136277913"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136277913" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136277913">(Oct 22 2018 at 16:23)</a>:</h4>
<p>regarding this topic, any ideas for security-related badges other than unsafe?</p>



<a name="136277985"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136277985" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136277985">(Oct 22 2018 at 16:24)</a>:</h4>
<p>I could potentially do some sort of RustSec badge</p>



<a name="136278013"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136278013" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136278013">(Oct 22 2018 at 16:24)</a>:</h4>
<p>Like a badge that says none of your deps have a known advisory?</p>



<a name="136278415"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136278415" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136278415">(Oct 22 2018 at 16:30)</a>:</h4>
<p>yep, à la many similar systems that do the same thing for other language-specific vuln databases</p>



<a name="136278904"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136278904" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136278904">(Oct 22 2018 at 16:39)</a>:</h4>
<p>Sounds good to me.</p>



<a name="136278988"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136278988" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136278988">(Oct 22 2018 at 16:40)</a>:</h4>
<p>it would require RustSec-as-a-service which might be a bit tricky, heh</p>



<a name="136279051"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136279051" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136279051">(Oct 22 2018 at 16:41)</a>:</h4>
<p>Shouldn't be too hard. We just have to find someone willing to donate us some infrastructure.</p>



<a name="136281200"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136281200" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136281200">(Oct 22 2018 at 17:15)</a>:</h4>
<p>I could donate the infrastructure for something like that</p>



<a name="136281284"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136281284" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136281284">(Oct 22 2018 at 17:17)</a>:</h4>
<p>That may not be necessary. I wonder if Mozilla would be willing to host something like that.</p>



<a name="136281294"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136281294" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136281294">(Oct 22 2018 at 17:17)</a>:</h4>
<p>I have no idea how official this working group is though.</p>



<a name="136284537"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136284537" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136284537">(Oct 22 2018 at 18:16)</a>:</h4>
<p>It's not official in the sense of not being able to speak on behalf of the Rust project. It's official in the sense of being sanctioned by the Rust project.</p>



<a name="136284579"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136284579" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136284579">(Oct 22 2018 at 18:17)</a>:</h4>
<p>Also, wrt a RustSec badge, I'd be worried that it would just mean that crates that nobody looks at get the badge. If we had a high volume of vuln reports, it might give us meaningful data, but I think we get too few vuln reports to extract any meaningful signal from the noise.</p>



<a name="136325268"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136325268" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136325268">(Oct 23 2018 at 09:09)</a>:</h4>
<p>I don't think a badge is a good place for the "no dependencies have a known advisory" info. I'd expect <code>cargo build</code> to complain loudly if they do; perhaps <a href="http://crates.io" target="_blank" title="http://crates.io">crates.io</a> notifying maintainers that their dependencies have known advisories; but a readme badge sounds a lot less useful and would require a great deal more infrastructure.</p>



<a name="136350192"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136350192" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136350192">(Oct 23 2018 at 17:00)</a>:</h4>
<p><code>cargo build</code> can only tell you about your security advisories if you regularly build your crate.</p>



<a name="136350243"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136350243" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136350243">(Oct 23 2018 at 17:01)</a>:</h4>
<p>A notification seems like the key piece of the puzzle. The badge is nice because it's an external signal to clients of a crate that the maintainers care about security.</p>



<a name="136352591"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136352591" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136352591">(Oct 23 2018 at 17:34)</a>:</h4>
<p>I still am concerned that badges are only helpful if a negative signal is helpful. Right now, we don't get enough vuln reports for "this crate doesn't have a vuln report" to mean anything.</p>



<a name="136352651"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136352651" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136352651">(Oct 23 2018 at 17:34)</a>:</h4>
<p>At this point, "this crate has had vuln reports" basically just means "this crate is used enough that people bothered looking."</p>



<a name="136546283"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136546283" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> qmx <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136546283">(Oct 26 2018 at 13:20)</a>:</h4>
<blockquote>
<p>I could donate the infrastructure for something like that</p>
</blockquote>
<p>I can check with my employer (DigitalOcean), I think we could get machines/credit donated for this effort.</p>



<a name="136563748"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136563748" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136563748">(Oct 26 2018 at 18:03)</a>:</h4>
<p>I've been doing some brainstorming and I have a version of this working that generates the audits as part of a gitlab ci run.</p>



<a name="136563771"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136563771" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136563771">(Oct 26 2018 at 18:04)</a>:</h4>
<p>It seems to be working pretty well. It can build and audit in about 5 minutes and I can schedule CI jobs using cron syntax, currently set for hourly.</p>



<a name="136564076"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136564076" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136564076">(Oct 26 2018 at 18:08)</a>:</h4>
<p>Could we add <code>cargo audit</code> (or whatever tool you're working on) as a CI pass? So, e.g., in your <code>.travis.yml</code>, run a tool which fails the CI test if your dependency graph has any known vulns?</p>



<a name="136564116"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136564116" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136564116">(Oct 26 2018 at 18:09)</a>:</h4>
<p>I'll defer to <span class="user-mention" data-user-id="132721">@Tony Arcieri</span>, who made cargo audit.</p>



<a name="136564124"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136564124" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136564124">(Oct 26 2018 at 18:09)</a>:</h4>
<p>I'm making more of a <code>crates-audit</code>.</p>



<a name="136564203"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136564203" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136564203">(Oct 26 2018 at 18:10)</a>:</h4>
<p>The thing I'm making generates a data structure like this:</p>
<div class="codehilite"><pre><span></span>use std::collections::BTreeMap;
use serde::{Deserialize, Serialize};

#[derive(Serialize, Deserialize, PartialEq)]
struct CratesAudit {
    // Commit of the crates index snapshot this audit was resolved against.
    crates_index_commit: String,
    // Commit of the RustSec advisory database the advisories were matched from.
    advisory_db_commit: String,
    // Map of crate name to list of RustSec advisory IDs.
    advisories: BTreeMap&lt;String, Vec&lt;String&gt;&gt;,
}
</pre></div>



<a name="136564335"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136564335" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136564335">(Oct 26 2018 at 18:13)</a>:</h4>
<p>Gotcha</p>



<a name="136564531"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136564531" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136564531">(Oct 26 2018 at 18:16)</a>:</h4>
<p>Another slight difference is that <code>cargo audit</code> uses a Cargo.lock file as opposed to <code>crates-audit</code> which does its own dependency resolution.</p>



<a name="136573683"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136573683" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136573683">(Oct 26 2018 at 21:03)</a>:</h4>
<p>Neat! Let me know when you publish the code, it would be very interesting to poke at it. Also, this has been on my "cool project I can't get around to" list for a long time, so thanks for actually stepping up and doing it!</p>



<a name="136573791"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136573791" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Zach Reizner <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136573791">(Oct 26 2018 at 21:05)</a>:</h4>
<p>Thanks. It was a right place right time kind of situation because I already had the crates indexing and dependency resolution code written but I no longer needed it for its original purpose.</p>



<a name="136657038"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136657038" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136657038">(Oct 28 2018 at 15:36)</a>:</h4>
<p>Yeah likewise, this has been suggested several times but I've never had time to work on it.</p>



<a name="136657050"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136657050" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136657050">(Oct 28 2018 at 15:36)</a>:</h4>
<p>and yeah, <code>cargo audit</code> is good to go for CI. Per <span class="user-mention" data-user-id="130046">@Alex Gaynor</span>'s issue I should document Travis at least</p>



<a name="136657053"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136657053" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136657053">(Oct 28 2018 at 15:36)</a>:</h4>
<p>I use it on Travis</p>



<a name="136657059"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136657059" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136657059">(Oct 28 2018 at 15:36)</a>:</h4>
<p>(and CircleCI, and Cloud Build, but that's a different story)</p>



<a name="136658995"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/136658995" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#136658995">(Oct 28 2018 at 16:16)</a>:</h4>
<p>Yeah, I don't think it's rocket science to set up, just want to drag that barrier down.</p>



<a name="137114870"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137114870" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137114870">(Nov 03 2018 at 14:16)</a>:</h4>
<p>Sorry I'd dropped off the radar for a bit.  I actually just recently started on a crate to measure unsafe coverage inside a crate.  Before I dove too deep on it I wanted to check with the group to make sure one doesn't already exist.</p>



<a name="137114880"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137114880" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137114880">(Nov 03 2018 at 14:17)</a>:</h4>
<p>Plan is walking the crate with syn, measure unsafe usage and get a percentage that can be shown off in a badge.  So far it looks fairly straightforward.</p>



<a name="137129543"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137129543" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137129543">(Nov 03 2018 at 21:33)</a>:</h4>
<p><span class="user-mention" data-user-id="132722">@Stuart Small</span> I'm curious how the uses of unsafe will be counted. Consider <a href="https://play.rust-lang.org/?version=stable&amp;mode=debug&amp;edition=2015&amp;gist=61340cde2f564c4f9dbc9af0bf99e87c" target="_blank" title="https://play.rust-lang.org/?version=stable&amp;mode=debug&amp;edition=2015&amp;gist=61340cde2f564c4f9dbc9af0bf99e87c">https://play.rust-lang.org/?version=stable&amp;mode=debug&amp;edition=2015&amp;gist=61340cde2f564c4f9dbc9af0bf99e87c</a> vs <a href="https://play.rust-lang.org/?version=stable&amp;mode=debug&amp;edition=2015&amp;gist=ff104f86e8a21c7be6e2a0c5c097e6b5" target="_blank" title="https://play.rust-lang.org/?version=stable&amp;mode=debug&amp;edition=2015&amp;gist=ff104f86e8a21c7be6e2a0c5c097e6b5">https://play.rust-lang.org/?version=stable&amp;mode=debug&amp;edition=2015&amp;gist=ff104f86e8a21c7be6e2a0c5c097e6b5</a> vs <a href="https://play.rust-lang.org/?version=stable&amp;mode=debug&amp;edition=2015&amp;gist=1235743a7a0bac91990f0eb252a77571" target="_blank" title="https://play.rust-lang.org/?version=stable&amp;mode=debug&amp;edition=2015&amp;gist=1235743a7a0bac91990f0eb252a77571">https://play.rust-lang.org/?version=stable&amp;mode=debug&amp;edition=2015&amp;gist=1235743a7a0bac91990f0eb252a77571</a>. Would they have the same score or different scores?</p>



<a name="137133880"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137133880" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137133880">(Nov 04 2018 at 00:01)</a>:</h4>
<p>I'm still playing around with it.  I'm new to syn.  From what I've read so far it will be on the expression level, so the first two will be equal but the 3rd one will show a lower percentage of unsafe.  I believe it's correct for the 3rd example to have a better score because while the usage of unsafe is the same, the surface area to audit is smaller.</p>



<a name="137144113"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137144113" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137144113">(Nov 04 2018 at 06:05)</a>:</h4>
<p>I did a quick POC of my approach on this and included a couple of the cases you mentioned <span class="user-mention" data-user-id="133214">@Brian Smith</span>.  It can be found here:  <a href="https://github.com/stusmall/cargo-unsafe-coverage" target="_blank" title="https://github.com/stusmall/cargo-unsafe-coverage">https://github.com/stusmall/cargo-unsafe-coverage</a></p>
<p>I added a couple of the examples you'd mentioned in there as unit tests.  To get this far it was pretty smooth sailing; it'll just be the work of filling out the implementation for different AST states and handling them.  Something like this can encourage people either to advertise their lack of unsafe code or to concentrate it in smaller, more central, auditable locations.  Like any metric, such as code coverage, it isn't perfect but can help encourage good practices.</p>



<a name="137150943"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137150943" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137150943">(Nov 04 2018 at 10:20)</a>:</h4>
<blockquote>
<p>I believe it's correct for the 3rd example to have a better score because while the usage of unsafe is the same, the surface area to audit is smaller.</p>
</blockquote>
<p>Any approach that takes into account how often the <code>unsafe</code> keyword appears in the rating beyond "it never appears" and "it appears at least once" is probably incorrect. </p>
<p>So I'm interested too into how this unsafe rating would work. Is there a document explaining it anywhere?</p>



<a name="137151711"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137151711" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137151711">(Nov 04 2018 at 10:47)</a>:</h4>
<p>I've toyed with the idea of measuring coverage of unsafe code already, discussed it with some folks, and arrived at the conclusion that it's simply impossible to produce a meaningful result. Here's an extreme example: <a href="https://github.com/WanzenBug/rust-fixed-capacity-vec" target="_blank" title="https://github.com/WanzenBug/rust-fixed-capacity-vec">https://github.com/WanzenBug/rust-fixed-capacity-vec</a> at one point in its history had exactly one <code>unsafe</code> block with just one line in it. It was in the creation of a fixed-capacity vector view, so any conceivable test would enter that line; it would have 100% unsafe coverage by any conceivable metric. However, the safety of that line depended on <em>the entire rest of the code in the module,</em> all of which is safe, upholding a certain non-trivial invariant.<br>
So such metrics would often be useless at best and wildly misleading at worst.</p>



<a name="137152019"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137152019" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137152019">(Nov 04 2018 at 10:59)</a>:</h4>
<p>Those are pretty much my thoughts too <span class="user-mention" data-user-id="127617">@Shnatsel</span> . I think the only useful metric is whether the crate uses unsafe at all or not, and if you want something more fine grained, how many % of the modules in a crate use unsafe at all or not (where if a module uses unsafe, you have to count all its child modules as using unsafe as well).</p>



<a name="137152089"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137152089" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137152089">(Nov 04 2018 at 11:01)</a>:</h4>
<p><a href="https://github.com/anderejd/cargo-geiger" target="_blank" title="https://github.com/anderejd/cargo-geiger">https://github.com/anderejd/cargo-geiger</a> does that, also with dependencies and transitive dependencies</p>



<a name="137159080"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137159080" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137159080">(Nov 04 2018 at 15:10)</a>:</h4>
<p>No documentation yet.   Last night was my first pass at setting it up.  It looks for the amount of code covered by unsafe blocks.  It isn't a count of unsafe blocks or the number of lines inside them, but the count of statements inside that block or method.</p>
<p>As for "any unsafe is enough", I'm trying to keep the actix case in mind.  In the early days of the project it had a lot of unsafe usage in the crate.  The community found it and helped reduce it down to a few small places where it was needed for performance.  Something like this could be a quick smoke test for heavy unsafe usage where it doesn't make sense, but a little unsafe does.</p>



<a name="137159461"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137159461" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137159461">(Nov 04 2018 at 15:21)</a>:</h4>
<p><a href="https://github.com/anderejd/cargo-geiger" target="_blank" title="https://github.com/anderejd/cargo-geiger">https://github.com/anderejd/cargo-geiger</a> already counts the total amount of expressions under unsafe per crate, as well as number of unsafe impls, traits and methods. I.e. it seems to be already doing what you're trying to achieve.</p>



<a name="137159523"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137159523" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137159523">(Nov 04 2018 at 15:23)</a>:</h4>
<blockquote>
<p>It isn't a count of unsafe blocks or the number of lines inside them, but the count of statements inside that block or method.</p>
</blockquote>
<p>Yeah so this approach is incorrect, the count of statements inside an unsafe block isn't a measure for the amount of unsafe code.</p>



<a name="137159583"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137159583" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137159583">(Nov 04 2018 at 15:25)</a>:</h4>
<p>It would catch the Actix case though, which seems to be the design goal.</p>



<a name="137159631"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137159631" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137159631">(Nov 04 2018 at 15:26)</a>:</h4>
<p>For that goal, <code>grep</code> would arguably be enough?</p>



<a name="137159646"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137159646" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137159646">(Nov 04 2018 at 15:27)</a>:</h4>
<p>True. That's what I tend to use.</p>



<a name="137159802"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137159802" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137159802">(Nov 04 2018 at 15:31)</a>:</h4>
<p>I think if one is going to give crates a score based on <code>unsafe</code>, one should really think through what would happen if people optimized for that goal. AFAICT given what <span class="user-mention" data-user-id="132722">@Stuart Small</span> proposed, such a tool would encourage using minimally scoped <code>unsafe</code> blocks to minimize the number of "unsafe statements", but that's something that the std library explicitly avoids because it gives the impression that the unsafety is only present in those parts of the code, while in reality, one needs to inspect the whole function, module, child modules, etc. So under this model, optimizing to reduce such a score would actually be introducing anti-patterns that make the code more "unsafe".</p>
<p>For example, if you have a struct with a <code>Vec</code>, and a single <code>unsafe</code> block in the module doing an <code>unsafe { self.vec.set_len(self.vec.len() + 1) }</code>, that might have a tiny statement count, but in reality, everything that can directly or indirectly access <code>self.vec</code> becomes unsafe due to this, even though one doesn't need to add more unsafe blocks. So that ought to have a larger "danger" associated with it than maybe doing a raw pointer dereference, where either doing it succeeds or not, but is something that can be prevented fairly locally with an <code>assert!</code> without tainting the whole module.</p>



<a name="137162402"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137162402" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137162402">(Nov 04 2018 at 16:38)</a>:</h4>
<p>Oh wow.  I hadn't caught that they had added that since the last time I looked at that crate.  Nevermind</p>



<a name="137162425"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137162425" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137162425">(Nov 04 2018 at 16:39)</a>:</h4>
<p>Last time I had looked at geiger, it just gave a thumbs up/thumbs down on whether it had unsafe.</p>



<a name="137162848"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137162848" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Stuart Small <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137162848">(Nov 04 2018 at 16:49)</a>:</h4>
<p>Hmmm.  Now that I look at it, I think I imagined it was only a yes or no.  Looks like it's always gathered stats on the usage.  Glad I brought this up with the group before I went too far on it.</p>



<a name="137165907"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137165907" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137165907">(Nov 04 2018 at 18:16)</a>:</h4>
<p><span class="user-mention" data-user-id="132920">@gnzlbg</span> If it is true that the stdlib intentionally avoids minimizing the scope of <code>unsafe</code> blocks "because it gives the impression that the unsafety is only present in those parts" then we should change that. I think minimizing the amount of code that is within <code>unsafe</code> makes the use of <code>unsafe</code> much clearer and also avoids unnecessary and accidental unsafe code.</p>



<a name="137166047"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137166047" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137166047">(Nov 04 2018 at 18:21)</a>:</h4>
<p><span class="user-mention" data-user-id="133214">@Brian Smith</span>  Most functions in the std library using <code>unsafe</code> just wrap the whole function content in a big <code>unsafe { ... }</code> block. I personally disagree that minimally scoped unsafe blocks make anything clearer. When one uses minimally scoped unsafe blocks most undefined behavior related bugs start happening out of any unsafe block. Also people modifying code outside unsafe blocks pay less attention than those modifying unsafe blocks. Larger than minimal unsafe blocks are an indication that modifying anything inside the block has to be done with extra care.</p>
<p>And that's the root of the problem: once your crate/module has a single use of <code>unsafe {}</code>, no matter how minimally scoped, an error in "safe" Rust code can introduce undefined behavior. It's not "is this unsafe code correct", but "is all of this code correct given that unsafe is used somewhere".</p>



<a name="137166147"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137166147" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137166147">(Nov 04 2018 at 18:24)</a>:</h4>
<p>Well... on one hand, seeing which of the calls are to <code>unsafe fn</code> and which aren't at a glance would be helpful so I could look them all up, make a list of invariants that they require to be upheld, and then check that they're actually upheld. On the other hand, it could create a lot of noise. So sounds like highlighting calls to unsafe fn would be better solved with an IDE plugin.</p>



<a name="137166222"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137166222" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137166222">(Nov 04 2018 at 18:27)</a>:</h4>
<p>Highlighting calls to <code>unsafe fn</code> is a great idea, but there are things that require unsafe that are not <code>unsafe fn</code> (e.g. dereferencing raw pointers, creating a reference to a packed struct field, reading from a union, etc.) and all of these could be happening inside the same <code>unsafe</code> block, so ideally all of these would be "highlighted", underlined, or something.</p>



<a name="137166273"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137166273" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137166273">(Nov 04 2018 at 18:28)</a>:</h4>
<p>Wanna open a feature request against RLS or whatever should be handling this?</p>



<a name="137166274"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137166274" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137166274">(Nov 04 2018 at 18:28)</a>:</h4>
<p>RLS or the rust-analyzer should be the tools that expose this information</p>



<a name="137166401"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137166401" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137166401">(Nov 04 2018 at 18:32)</a>:</h4>
<p>Huh, I did not know about rust-analyzer. Thanks for pointing it out.</p>



<a name="137166402"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137166402" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137166402">(Nov 04 2018 at 18:32)</a>:</h4>
<p>Care to open feature requests against them?</p>



<a name="137166462"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137166462" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137166462">(Nov 04 2018 at 18:35)</a>:</h4>
<p><a href="https://github.com/rust-analyzer/rust-analyzer/issues/190" target="_blank" title="https://github.com/rust-analyzer/rust-analyzer/issues/190">https://github.com/rust-analyzer/rust-analyzer/issues/190</a></p>



<a name="137169164"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137169164" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> briansmith <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137169164">(Nov 04 2018 at 20:05)</a>:</h4>
<p><span class="user-mention" data-user-id="132920">@gnzlbg</span> Sure, but in that case every Rust program is "unsafe" because they all depend on libstd/libcore which use <code>unsafe</code>. <code>unsafe</code> isn't meant to delimit the scope of what's affected by unsafe constructs; it delimits the direct use of unsafe constructs only. The argument that minimizing the scope of <code>unsafe</code> because it is confusing as to what the ultimate unsafe effect can be is targeting a mental model of <code>unsafe</code> that's just incorrect.</p>



<a name="137169264"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137169264" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137169264">(Nov 04 2018 at 20:08)</a>:</h4>
<blockquote>
<p>Sure, but in that case every Rust program is "unsafe" because they all depend on libstd/libcore which use unsafe</p>
</blockquote>
<p>Iff the public API of libstd/libcore is sound, then every Rust program that only interacts with these via safe public APIs is sound too (not unsafe).</p>



<a name="137169275"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137169275" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137169275">(Nov 04 2018 at 20:09)</a>:</h4>
<p>The key difference is that code inside a module (and child modules) does not need to interact with the module it's defined in through its public API. This code can, for example, use <code>safe Rust</code> code to modify private struct fields, potentially introducing undefined behavior because of interaction with some <code>unsafe</code> code somewhere else in the module that did not expect those modifications.</p>



<a name="137169447"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137169447" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137169447">(Nov 04 2018 at 20:14)</a>:</h4>
<p>Once <code>unsafe</code> appears once inside a module, modifying code anywhere in the module or child modules can introduce undefined behavior independently of whether the code being modified is inside an <code>unsafe</code> block or not. Minimizing the scope of <code>unsafe</code> blocks does not make anything safer per se, it just changes the region that whoever writes the code wants to highlight to the reader as being "unsafe".</p>



<a name="137169586"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137169586" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137169586">(Nov 04 2018 at 20:19)</a>:</h4>
<p>Some people like to highlight the bare minimum, the std library likes to highlight whole functions, or largerish parts of functions.</p>



<a name="137169645"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137169645" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137169645">(Nov 04 2018 at 20:20)</a>:</h4>
<p>This all might be too abstract, but one example of this practice is the <code>RawVec</code> module in case someone is wondering how this all looks in the standard library: <a href="https://github.com/rust-lang/rust/blob/master/src/liballoc/raw_vec.rs#L90" target="_blank" title="https://github.com/rust-lang/rust/blob/master/src/liballoc/raw_vec.rs#L90">https://github.com/rust-lang/rust/blob/master/src/liballoc/raw_vec.rs#L90</a></p>



<a name="137169653"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137169653" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137169653">(Nov 04 2018 at 20:21)</a>:</h4>
<p><a href="https://github.com/rust-lang/rust/blob/master/src/liballoc/raw_vec.rs#L239" target="_blank" title="https://github.com/rust-lang/rust/blob/master/src/liballoc/raw_vec.rs#L239">https://github.com/rust-lang/rust/blob/master/src/liballoc/raw_vec.rs#L239</a></p>



<a name="137169696"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137169696" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137169696">(Nov 04 2018 at 20:22)</a>:</h4>
<p><a href="https://github.com/rust-lang/rust/blob/master/src/liballoc/raw_vec.rs#L359" target="_blank" title="https://github.com/rust-lang/rust/blob/master/src/liballoc/raw_vec.rs#L359">https://github.com/rust-lang/rust/blob/master/src/liballoc/raw_vec.rs#L359</a></p>



<a name="137169704"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137169704" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137169704">(Nov 04 2018 at 20:23)</a>:</h4>
<p>This RawVec is the code where <a href="https://github.com/rust-lang/rust/issues/44800" target="_blank" title="https://github.com/rust-lang/rust/issues/44800">CVE-2018-1000657</a> happened</p>



<a name="137169772"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137169772" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137169772">(Nov 04 2018 at 20:24)</a>:</h4>
<p>No, that CVE happened in <code>VecDeque</code>: <a href="https://github.com/rust-lang/rust/pull/44802/files" target="_blank" title="https://github.com/rust-lang/rust/pull/44802/files">https://github.com/rust-lang/rust/pull/44802/files</a></p>



<a name="137169791"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137169791" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137169791">(Nov 04 2018 at 20:26)</a>:</h4>
<p>Good catch, I stand corrected. Apparently I forgot the details since I applied for the CVE</p>



<a name="137169834"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137169834" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137169834">(Nov 04 2018 at 20:26)</a>:</h4>
<p><code>VecDeque</code> uses <code>RawVec</code>, and relies a lot on the exact behavior of some of <code>RawVec</code>'s internals for correctness (exact allocation doubling behavior, etc.), but that's another story..</p>



<a name="137169838"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137169838" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137169838">(Nov 04 2018 at 20:26)</a>:</h4>
<p>I believe there was a safety regression this cycle in either VecDeque or RawVec, which was caught in beta or some such. I could look up the details if anyone's interested.</p>



<a name="137169897"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137169897" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137169897">(Nov 04 2018 at 20:28)</a>:</h4>
<p>haven't heard of that one, but having re-implemented most of <code>VecDeque</code> API in <code>SliceDeque</code>, it isn't hard to break safety with tiny mistakes while writing these types of data-structures</p>



<a name="137169922"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137169922" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137169922">(Nov 04 2018 at 20:29)</a>:</h4>
<p>huh, is that some kind of fixed-capacity double-ended queue?</p>



<a name="137170011"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137170011" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137170011">(Nov 04 2018 at 20:31)</a>:</h4>
<p>it is dynamically-resizable, but the elements always form a contiguous slice</p>



<a name="137170088"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137170088" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137170088">(Nov 04 2018 at 20:33)</a>:</h4>
<p>Ah, okay. I was hoping it could be a shortcut implementing <a href="https://internals.rust-lang.org/t/pre-rfc-fixed-capacity-view-of-vec/8413" target="_blank" title="https://internals.rust-lang.org/t/pre-rfc-fixed-capacity-view-of-vec/8413">a fixed-capacity view of Vec</a>, because manually enforcing lack of reallocation in the underlying Vec is not fun, especially since Vec reallocation behavior is very loosely specified for methods that insert multiple elements.</p>



<a name="137170136"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137170136" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137170136">(Nov 04 2018 at 20:34)</a>:</h4>
<p>There is a prototype implementation that's even reasonably fast, but I'm pretty sure it still has some issues e.g. with panic safety for types implementing Drop</p>



<a name="137170226"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137170226" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137170226">(Nov 04 2018 at 20:37)</a>:</h4>
<p>I've seen that RFC but I had mixed feelings about it. I kind of wish that instead it would propose a <code>&amp;mut VecView</code> that would also work with <code>ArrayVec</code>, <code>SmallVec</code>, <code>Vec</code>, etc. Having such a type only for <code>Vec</code> feels a bit "not widely-useful enough".</p>



<a name="137170502"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137170502" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137170502">(Nov 04 2018 at 20:45)</a>:</h4>
<p>That doesn't sound terribly hard to implement, actually. Currently we only have a constructor from Vec but there is no reason it wouldn't work with other types that have a properly aligned backing buffer with a known capacity and length.</p>



<a name="137170563"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137170563" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> gnzlbg <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137170563">(Nov 04 2018 at 20:46)</a>:</h4>
<p>This <code>View</code> type only needs a <code>(*mut T,usize,usize)</code>, and it cannot grow the underlying vector anyways because <code>ArrayVec</code> cannot grow beyond its capacity, and growing a <code>SmallVec</code> isn't trivial either, so it kind of is what you are looking for, but works for more cases.</p>



<a name="137170577"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/137170577" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#137170577">(Nov 04 2018 at 20:47)</a>:</h4>
<p>Post that to the thread. Sounds like a pretty good idea that's fairly easy to implement</p>



<a name="146818356"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/146818356" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Liebow-Feeser <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#146818356">(Nov 05 2018 at 19:38)</a>:</h4>
<p>Here's a different take on the issue: What we're really trying to do is figure out which code is in the TCB (i.e., the set of code which, if buggy, could cause unsoundness), and which code isn't. Can we think of a way to automatically figure out (or at least estimate the size of) that TCB? I suspect the answer is "no," but maybe we could get close with some code conventions?</p>



<a name="158383989"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/158383989" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Grant Husbands <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#158383989">(Feb 12 2019 at 20:16)</a>:</h4>
<p>So I'm late to this thread and just noted the "Most functions in the std library using unsafe just wrap the whole function content in a big unsafe { ... } block". I agree that that makes sense, given that unsafety 'leaks' to the wider scope, but should there then be a way of tagging the bits that need to be unsafe in order to compile? Maybe nested unsafe blocks could do that (if unused_unsafe warnings were off by default).</p>



<a name="158557954"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/security%20badges/near/158557954" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/security.20badges.html#158557954">(Feb 14 2019 at 19:40)</a>:</h4>
<p>sounds like what I proposed here <a href="https://internals.rust-lang.org/t/crate-capability-lists/8933/2" target="_blank" title="https://internals.rust-lang.org/t/crate-capability-lists/8933/2">https://internals.rust-lang.org/t/crate-capability-lists/8933/2</a></p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>